
Powershell Script for saving logs from Domain Controller

Hi,

I got a request in from one of our IT security officers who would like a copy of all Domain Controller event logs to be kept for analysis. The IT security officer is particularly interested in events 4706/4707 (Domain trust records created/deleted). The IT security officer also wants to know how far back the data relates to.

Is there a PowerShell script that can be run to help acquire this information? We have a number of different domains but he has asked for two in particular.

Hariom (Exchange Experts) commented:
Please download this script and modify accordingly.

PowerShell Script Monitors Security Logs and Sends Email Alerts.
http://chinnychukwudozie.com/2014/11/12/powershell-script-monitors-security-logs-and-sends-email-alerts/
Will Szymkowski (Senior Solution Architect) commented:
Personally this should be done by using Event Subscriptions Server. See Event Subscriptions Setup at the following link below...
https://technet.microsoft.com/en-us/library/cc749183.aspx

The IT security officer also wants to know how far back the data relates to
The logs will only reference back before they get overwritten. Depending on whether you have auditing enabled, your logs may get overwritten hourly due to all of the audit events in the Security Logs. It is a good idea to set the logs on EACH of the DCs to a minimum of 1GB. This is so that when you do event collections you will be able to get all of the logs, depending on how often it is run against the DCs. If you are not querying the DCs often then your log size should be larger. If not, they will get overwritten.

If you are still set on collecting event log data using PowerShell then I would recommend using the Export-EventLog.ps1 script. See below link for download.
https://gallery.technet.microsoft.com/scriptcenter/Export-EventLog-18a87c2c

Will.
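An added example, not code from the thread or from the linked scripts, that does what the question and Will's reply describe in one pass: for each DC in the named domains it saves the Security log as EVTX, extracts the 4706/4707 trust events, and records the oldest surviving Security event so the security officer knows how far back the retained data reaches. The domain names and output folder are placeholders; it assumes the ActiveDirectory module and rights to read the remote Security logs.

```powershell
# Added example (not the thread's or the linked scripts' code).
# Placeholders: replace the domain names and output folder with your own.
param(
    [string[]]$Domains = @('corp.example.com', 'child.example.com'),
    [string]$OutDir    = 'C:\DCLogs'
)
Import-Module ActiveDirectory
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'

$report = foreach ($domain in $Domains) {
    foreach ($dc in Get-ADDomainController -Filter * -Server $domain) {
        $name = $dc.HostName
        try {
            # Oldest surviving Security event: the earliest point the retained data covers.
            $oldest = Get-WinEvent -ComputerName $name -LogName Security -MaxEvents 1 -Oldest
            # Configured maximum log size, the setting Will's reply says to raise on each DC.
            $cfg = Get-WinEvent -ComputerName $name -ListLog Security

            # Trust created (4706) / trust removed (4707) records only; null if none exist.
            $trust = Get-WinEvent -ComputerName $name -ErrorAction SilentlyContinue `
                -FilterHashtable @{ LogName = 'Security'; Id = 4706, 4707 }
            if ($trust) {
                $trust | Select-Object TimeCreated, Id, MachineName, Message |
                    Export-Csv -Path (Join-Path $OutDir "$name-trust-events-$stamp.csv") -NoTypeInformation
            }

            # Full copy of the Security log for later analysis (wevtutil /r reads the remote DC).
            wevtutil epl Security (Join-Path $OutDir "$name-Security-$stamp.evtx") /r:$name

            [pscustomobject]@{
                Domain      = $domain
                DC          = $name
                OldestEvent = $oldest.TimeCreated
                TrustEvents = @($trust).Count
                MaxLogSizeMB = [math]::Round($cfg.MaximumSizeInBytes / 1MB)
            }
        } catch {
            # A DC that is unreachable or denies access is reported, not silently skipped.
            Write-Warning "$name`: $($_.Exception.Message)"
        }
    }
}

$report | Sort-Object Domain, DC | Format-Table -AutoSize
$report | Export-Csv -Path (Join-Path $OutDir "dc-log-retention-$stamp.csv") -NoTypeInformation
```

A DC whose OldestEvent is only hours old confirms the overwrite problem described above; the MaxLogSizeMB column shows which DCs still need their Security log enlarged.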